The LDAP Related Projects of Adam Tauno Williams
This page is no longer maintained. See www.whitemiceconsulting.com.
Maintainer mailto: Adam Tauno Williams
Member of the Kalamazoo Linux User's Group.
Support Your LUG!!!
Last Updated: 05 January 2004
LDAP PROJECTS
PPPD+LDAP: I've got the source code for a version of pppd meant to be used with the PoPToP PPTP VPN server. This version of pppd 2.4.1 includes the MPPE and "Strip M$ Domain" patches. Simply install and create a chap-secrets line like:
* * &uid?(morrisonvpnaccess=Y)(objectclass=posixAccount)?ou=People,o=Morrison\ Industries,c=US *
This uses the first "?"-delimited value as the attribute used to look up the user's object. The second parameter is any additional filter terms you wish to apply. The third parameter is the search base. So if "fred" attempts to establish a VPN connection, PPPD will attempt to get the "ntpassword" attribute from the first object matching "(&(uid=fred)(morrisonvpnaccess=Y)(objectclass=posixAccount))" beneath "ou=People,o=Morrison\ Industries,c=US". The only hardcoded value is the name of the LDAP server, which is fixed as "ldap".
I've gotten several e-mails about this one, as it seems to have resulted in some confusion. I am NOT running the LDAP server on NT, it is OpenLDAP on an RH box that is also a Samba PDC. The NT-Hashes of the password, as they are stored in /usr/local/samba/private/smbpasswd are loaded into each user's LDAP object in the "ntpassword" attribute. I assume you can get the NT-Hashes from an NT PDC's SAM database as well, but I don't know how. The Samba Web Site has some perl scripts that seem to claim to do this exact thing (pulling NT-Hashes from the SAM), but I have not used them as I don't have an NT PDC. Feel free to e-mail me with questions, just not about integration with a "real" NT domain, as I won't be able to help you.
Download ppp-2.4.1LDAP.tgz
NOTE: THIS DOES NOT WORK FOR RECENT VERSIONS OF PPPD OR ON RECENT DISTRIBUTIONS, IT JUST CAUSES A SIG 11 AND PPPD DIES! I DON'T KNOW WHY AND DON'T HAVE TIME TO LOOK INTO IT; BUT THE PRINCIPLE IS SOUND SO ******** ARE FREE TO FIX IT OR REWRITE IT. PLEASE E-MAIL ME IF YOU DO GET SOMETHING WORKING. DO NOT E-MAIL ME ABOUT HOW TO MAKE IT WORK.
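The lookup that the chap-secrets line above drives, as an added example written for this page and not code from the pppd patch: it splits the "&key?filter?base" secret into its three parts and builds the search filter for a given peer name, so you can see exactly which filter and base a line will produce before pointing pppd at a directory. Treating the leading "&" as the marker for an LDAP reference, the struct and function names, and the RFC 4515 escaping of the peer-supplied name are assumptions of this example (the patch's own source is what to check for how it handles the name it splices into the filter). It needs no libldap, so it compiles with plain gcc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515):
 * '*', '(', ')' and '\' become \HH. Returns a malloc'd string. */
static char *ldap_filter_escape(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n * 3 + 1);
    char *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            p += sprintf(p, "\\%02x", c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* The three "?"-delimited parts of an "&key?extra?base" secret (assumed layout). */
struct ldap_spec {
    char key[64];      /* attribute used as the lookup key, e.g. "uid" */
    char extra[256];   /* additional filter terms, may be empty */
    char base[256];    /* search base DN */
};

/* Parse "&key?extra-filter?base-dn". Returns 0 on success, -1 if the
 * secret is not an LDAP reference or is malformed / too long. */
static int parse_ldap_spec(const char *secret, struct ldap_spec *spec) {
    if (secret[0] != '&') return -1;
    const char *a = secret + 1;
    const char *q1 = strchr(a, '?');
    if (!q1) return -1;
    const char *q2 = strchr(q1 + 1, '?');
    if (!q2) return -1;
    size_t klen = (size_t)(q1 - a), elen = (size_t)(q2 - q1 - 1);
    if (klen == 0 || klen >= sizeof spec->key || elen >= sizeof spec->extra
        || strlen(q2 + 1) >= sizeof spec->base) return -1;
    memcpy(spec->key, a, klen);       spec->key[klen] = '\0';
    memcpy(spec->extra, q1 + 1, elen); spec->extra[elen] = '\0';
    strcpy(spec->base, q2 + 1);
    return 0;
}

/* Build "(&(key=name)extra)" with the peer-supplied name escaped.
 * Returns the number of characters written, or -1 if it did not fit. */
static int build_filter(const struct ldap_spec *spec, const char *peer_name,
                        char *buf, size_t buflen) {
    char *esc = ldap_filter_escape(peer_name);
    if (!esc) return -1;
    int n = snprintf(buf, buflen, "(&(%s=%s)%s)", spec->key, esc, spec->extra);
    free(esc);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

int main(void) {
    /* constructed input: the secret field of the chap-secrets line shown above */
    const char *secret = "&uid?(morrisonvpnaccess=Y)(objectclass=posixAccount)"
                         "?ou=People,o=Morrison\\ Industries,c=US";
    struct ldap_spec spec;
    char filter[512];
    if (parse_ldap_spec(secret, &spec) != 0) { fprintf(stderr, "bad spec\n"); return 1; }
    if (build_filter(&spec, "fred", filter, sizeof filter) < 0) return 1;
    printf("base:   %s\nfilter: %s\n", spec.base, filter);
    /* a name containing a filter metacharacter is escaped rather than interpreted */
    if (build_filter(&spec, "fred*", filter, sizeof filter) < 0) return 1;
    printf("escaped: %s\n", filter);
    return 0;
}
```

Running it prints the base "ou=People,o=Morrison\ Industries,c=US" and the filter "(&(uid=fred)(morrisonvpnaccess=Y)(objectclass=posixAccount))" from the paragraph above; the second call shows the wildcard in "fred*" turned into "\2a" so it matches only a literal uid.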
LDAP2NIS: ldap2nis collects data from an LDAP server and writes to standard out maps appropriate for use with makedbm in the construction of tables for a traditional ypserv process. This way if you have old hosts or UNIX versions that don't support PAM you can export your LDAP data to a NIS server. A command like the following writes the group.bygid map.
ldap2nis -mapkey gidnumber -minkey gidnumber -minval 0 \
-objectclass posixgroup -host littleboy \
-basedn "o=Morrison Industries, c=US" \
-map "cn,userpassword,gidnumber,memberuid" | \
/usr/lib/yp/makedbm -i /etc/group -m littleboy \
-o morrison - group.bygid
This gets the attributes cn, userpassword, gidnumber, and memberuid (-map) from all objects with an objectclass of posixgroup (-objectclass) and writes a map file with a key of gidnumber (-mapkey). Records with a gidnumber (-minkey) less than 0 (-minval) are not written to the map. The makedbm command is usually used by the Makefile in /var/yp (or someplace equivalent) to build the NIS maps from the system flat files. makedbm wants a key, a tab, and the corresponding line of the file, which is exactly what ldap2nis outputs. Fields in the map are colon delimited, and if an LDAP attribute is multi-valued (such as memberuid) it writes each value to the map field separated by a comma, just as would be seen in a traditional /etc/group. If ldap2nis is unable to find a value for a specified attribute it outputs "!!" for that field. If the LDAP attribute is "userpassword" it removes everything up to and including the first closing curly brace "}".
Download ldap2nis.c
Compile the above C file with a command like: gcc -llber -lldap -o ldap2nis ldap2nis.c
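The record formatting described above (colon-delimited fields, comma-joined multi-values, "!!" for a missing attribute, the "{scheme}" prefix stripped from userpassword, and the minkey/minval cut-off), as an added example and not code from ldap2nis.c: it works on an in-memory entry instead of a live LDAP result, so it compiles without libldap and lets you check what a makedbm input line will look like for a given group. The struct names, format_map_line and the sample group entry are constructed for this example; a value without a closing brace is passed through unchanged, which is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One attribute value of a directory entry; multi-valued attributes appear
 * as repeated (attr, value) pairs, as ldap_get_values() would return them. */
struct attrval { const char *attr; const char *value; };
struct entry   { const struct attrval *av; size_t n; };

/* LDAP attribute names are case-insensitive. */
static int attr_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* First value of attribute `name` in the entry, or NULL if absent. */
static const char *first_value(const struct entry *e, const char *name) {
    for (size_t i = 0; i < e->n; i++)
        if (attr_eq(e->av[i].attr, name)) return e->av[i].value;
    return NULL;
}

/* Append src to dst within cap bytes; -1 if it would not fit. */
static int append(char *dst, size_t cap, const char *src) {
    if (strlen(dst) + strlen(src) >= cap) return -1;
    strcat(dst, src);
    return 0;
}

/* Format one makedbm input line: "<key>\t<f1>:<f2>:...".
 * Returns 1 if a line was written, 0 if the record was skipped (mapkey or
 * minkey missing, minkey non-numeric or below minval), -1 on overflow. */
static int format_map_line(const struct entry *e, const char *mapkey,
                           const char *minkey, long minval,
                           const char *const *map, size_t nmap,
                           char *out, size_t cap) {
    out[0] = '\0';
    const char *mk = first_value(e, minkey);
    if (!mk) return 0;
    char *end;
    long v = strtol(mk, &end, 10);
    if (*end != '\0' || v < minval) return 0;          /* -minkey / -minval cut-off */

    const char *key = first_value(e, mapkey);
    if (!key) return 0;
    if (append(out, cap, key) || append(out, cap, "\t")) return -1;

    for (size_t f = 0; f < nmap; f++) {
        if (f > 0 && append(out, cap, ":")) return -1;
        int found = 0;
        for (size_t i = 0; i < e->n; i++) {
            if (!attr_eq(e->av[i].attr, map[f])) continue;
            const char *val = e->av[i].value;
            /* userpassword: drop everything up to and including the first '}' */
            if (attr_eq(map[f], "userpassword")) {
                const char *brace = strchr(val, '}');
                if (brace) val = brace + 1;
            }
            if (found && append(out, cap, ",")) return -1;  /* multi-valued: comma-join */
            if (append(out, cap, val)) return -1;
            found = 1;
        }
        if (!found && append(out, cap, "!!")) return -1;  /* missing attribute marker */
    }
    return 1;
}

int main(void) {
    /* constructed sample posixGroup entry, not real directory data */
    static const struct attrval av[] = {
        {"cn", "devel"}, {"userPassword", "{crypt}*"}, {"gidNumber", "1001"},
        {"memberUid", "fred"}, {"memberUid", "steve"},
    };
    const struct entry e = { av, sizeof av / sizeof av[0] };
    static const char *const map[] = {"cn", "userpassword", "gidnumber", "memberuid"};
    char line[1024];
    if (format_map_line(&e, "gidnumber", "gidnumber", 0, map, 4, line, sizeof line) == 1)
        puts(line);   /* 1001<TAB>devel:*:1001:fred,steve */
    return 0;
}
```

The line it prints is what makedbm reads on standard input for the group.bygid map: the gidnumber key, a tab, then the /etc/group-style record.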
getuidattr: A very simple C program that returns an attribute of the posixAccount object with a given "uid" value. This is primarily meant for use in shell scripts that need to know a couple of things about a user.
Example: ./getuidattr -u steve -a cn returns Steve VanderZouwen.
Download getuidattr.c
Compile the above C file with a command like: gcc -llber -lldap -o getuidattr getuidattr.c
Bind SDB/LDAP RPMs: These are binary and source RPMs of Bind for Redhat 9 (may work on other platforms) with the SDB/LDAP connector built in. See the LDAPv3 presentation for how to configure and use this.
bind-9.2.1-16sdbldap.i386.rpm
bind-9.2.1-16sdbldap.src.rpm
bind-devel-9.2.1-16sdbldap.i386.rpm
bind-utils-9.2.1-16sdbldap.i386.rpm
The home page for the LDAP/SDB code is http://www.venaas.no/ldap/bind-sdb/
gq RPM: This is a binary RPM of the excellent GQ LDAP client, compiled for either RedHat 7.2 or RedHat 8.0. This differs from most GQ RPMs in that Kerberos V, browser drag-n-drop, and client-side cache are all enabled. Most importantly, this means you need the krb5-libs package installed for it to work.
gq-0.6.0-2.rh80.i386.rpm w/Kerberos(RedHat 8.0)
gq-0.6.0-2.rh72.i386.rpm w/Kerberos(RedHat 7.2)
For RedHat 9 users here is a gq RPM of 0.7beta2 with langpack 1. This also has Kerberos V support, Drag-n-Drop, and client side cache enabled.
gq-0.7.0beta2-0.i386.rpm w/Kerberos(RedHat 9.0)
The GQ homepage is http://biot.com/gq/
Schema Files: This is a small collection of useful but hard to come by schema files for OpenLDAP. These are presented as-is, and unless noted have not been modified (fixed) from their original content.
evolutionperson.schema (Special attributes and object classes used by at least Evolution 1.0.8)
rfc2739.schema (Calendaring information such as free/busy URIs.)
dnszone.schema (Used to support Bind SDB LDAP, DNS via LDAP)
ldap-printer.schema
ldap-slp.schema
rolodap.schema
dice.schema
dhcp.schema (Used with the patched ISC DHCP server.)
officeperson.schema*
(M$-Outlook likes this one. Do you actually use Outlook?! I happen to know a really good shrink...)
*This one has the 'otherFacsimiletelephoneNumber' attribute commented out as it conflicts with the same value provided by evolutionperson. If you're not also supporting Ximian Evolution (Why?) then simply uncomment that attribute definition.
LDAP enabled DHCP server: These RPMs use the ISC DHCP LDAP patch discussed in the LDAP presentation to enable the DHCP server to use an LDAP DSA as its configuration repository.
dhcp-ldap-3.0pl1-9.i386.rpm
dhcp-ldap-devel-3.0pl1-9.i386.rpm
dhcp-3.0.1rc9-ldap-patch
dhcp-ldap-3.0pl1-9.src.rpm
The homepages for the DHCP/LDAP patch are http://www.lunytune.net/isc-ldap.html and http://www.newwave.net/~masneyb/
The Presentation: This PDF represents my ongoing (and possibly primary) project to document the use of directory services with OpenLDAP in conjunction with other Open Source projects. File: ldapv3.pdf. If you wish to receive announcements about these projects as well as updates and additions to the LDAP presentation you can subscribe to the KLUG LDAP Announce mailing list. This is a very low volume announcement-only mailing list. A printer friendly B&W 6-up version of the October 28th version of the presentation has been produced: Printer Friendly Version (Courtesy of Jim C at tsunamicomm.net).